Most have heard about the massive data breach at Epsilon, a large email marketing services company. We here at BenSwenson.com have reason to believe that Intuit - makers of TurboTax, QuickBooks and other financial applications - have had a similar breach that predates Epsilon's woes.

First, some context: When signing up for accounts with websites, I typically use a unique email address. This unique address will contain an abbreviated description of the website or service being utilized. By doing this, emails can be filtered based on the address they were sent to, companies that distribute email addresses to spammers can be tracked and my primary accounts can be in large part protected from junk mail.
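The per-service address scheme above can be checked mechanically. This is an added example, not the author's own tooling: it flags mail that reaches a service-specific alias without a passing DKIM result for the one service that alias was given to, so a forged From line naming that service does not count. The alias names, domains and sample messages are constructed, and it assumes the Authentication-Results header was written by your own mail server.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed registry: each alias was handed to exactly one service.
ALIASES = {
    "taxdeductable@mail.example.org": "taxservice.example",  # misspelling kept on purpose
    "bookshop@mail.example.org": "books.example",
}
RCPT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")
DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", re.I)

def verified_domains(msg):
    """Domains with a passing DKIM result (assumed recorded by our own server)."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        found.update(d.lower() for d in DKIM_PASS.findall(value))
    return found

def classify(raw):
    """Return (alias, verdict); verdict is 'expected', 'leaked' or 'no-alias'."""
    msg = message_from_string(raw)
    rcpts = {addr.lower() for h in RCPT_HEADERS
             for _, addr in getaddresses(msg.get_all(h, []))}
    hits = [a for a in ALIASES if a in rcpts]
    if not hits:
        return (None, "no-alias")
    alias, owner = hits[0], ALIASES[hits[0]]
    # The From header is forgeable, so only a DKIM-verified domain counts.
    ok = any(d == owner or d.endswith("." + owner) for d in verified_domains(msg))
    return (alias, "expected" if ok else "leaked")

# Constructed sample messages.
LEGIT = ("Authentication-Results: mx.mail.example.org; dkim=pass header.d=taxservice.example\n"
         "From: Tax Service <news@taxservice.example>\n"
         "To: taxdeductable@mail.example.org\n"
         "Subject: Your receipt\n\nbody\n")
SPOOF = ("Authentication-Results: mx.mail.example.org; dkim=pass header.d=bulk-sender.example\n"
         "From: Tax Service <support@taxservice.example>\n"
         "Delivered-To: taxdeductable@mail.example.org\n"
         "Subject: Update your tax account\n\nbody\n")
OTHER = ("From: friend@elsewhere.example\n"
         "To: me@mail.example.org\n"
         "Subject: hi\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPOOF", SPOOF), ("OTHER", OTHER)):
        print(name, classify(raw))
```

A "leaked" verdict only says the alias is known to someone other than the service it was given to; it does not say how the address got out.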

In February, scam emails began to pour in to an email address used to sign up for Intuit's It's Deductible service. The uniqueness of this email address is certain, and the address on the spam messages even included a misspelling made when the account was created. Moreover, this email address was used only when signing up for and signing in to the It's Deductible service. This leaves three possibilities.

Possibility one: Hackers compromised the BenSwenson.com server and obtained a list of email accounts. While this can't be discounted entirely, two items indicate this is not the problem. Firstly, no other accounts on my server have received this kind of spam message. Secondly, several of the spam messages have referenced Intuit products specifically, a form of social engineering known as "spear phishing" that might be expected if Intuit was the known source.

Possibility two: The email address was created via a dictionary attack or random address generator. Again, however, this is an extremely unlikely scenario given the complexity of the address, the misspelling found in the address and the fact other addresses have not received this kind of email.

Possibility three: Intuit data were in some way compromised - either externally or internally - leading to the release of at least email addresses of some members of their client base. This possibility is the most likely and fits the facts most closely.

Attempts were made to contact Intuit about this potential issue. A customer service chat resulted in an email exchange with their email abuse department. These email exchanges resulted only in repeated assurances that Intuit didn't send the email, that phishing emails were a Bad Thing and that drones are not allowed to go outside of their prepared script.

The evidence appears to show that Intuit has suffered a data breach similar to Epsilon and is moreover unwilling to even research that possibility.